Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

1: PREMISES.

This policy will attempt to explain who and how processes the data of the data subject (also called the User), what their data are, and what their rights are and how they can exercise them. For special clarifications, where the User does not understand or does not consider what is included in the policy sufficient, please write to the following address: amministrazione@artigiantubi.it

2: SOME IMPORTANT NOTIONS ABOUT PERSONAL DATA

What is meant by personal data? Personal data is any information that relates to an identifiable natural person. An email address is personal data.

What does it mean to process data? The legal definition of processing includes any operation or set of operations concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction of data. Basically then all that can be done with user data is treatment. Already, therefore, collecting or reading data for example, i.e., consulting them, is processing.

Why are they important to the data subject? The data tell who the data subject is and what he or she does. They are his, so precisely because they are “his,” they are important, and it is also clear that as “his,” he has the right to decide whether to let third parties handle them, and to know how this is done.

Why are they important for Arti giantubiand its related services? They are important because they allow Artigiantubi to make its news known to its Customers in a more effective way.

3: WHO PROCESSES THE DATA

Data controller is the person who makes the decisions about how to process data, so – among other things – what precautions to take to protect it, where to house it (whether on servers or in the cloud, etc.), what data to ask from the user, what to process and for what purpose, what and to whom to give it away, how to handle user relationships and rights, who to choose as a collaborator, manager or simple appointee to process the data, what instructions to give to collaborators, etc. Therefore, since the data controller is very important, let the user know that it is:

Artigiantubi S.r.l.

Headquarters: Trezzo sull’Adda (MI), Via Pio la Torre 10/12.

VAT and Tax Identification Number: 11718280156

Tel: 0290961785

Fax: 0290961624

Email: amministrazione@artigiantubi.it

PEC: amministrazione@pec.artigiantubi.it

Website: www.artigiantubi.it

Then, with regard to any ancillary functions, Artigiantubi may make use of internal individuals authorized to process (also called data processors) or external parties mostly as data controllers.

3/a: TO WHOM DATA ARE RELEASED (or WHO IS ALLOWED ACCESS TO THEM).

The data are disclosed to individuals within the Owner (the employees) who cooperate in the administrative management of the company.

They may be further disclosed in compliance with reporting requirements in the event of a request from a public authority (e.g., request from the court, tax assessment, etc…).

It is important to know that Artigiantubi can only manage and dominate data stored and processed within its own system: data transferred or disclosed to third parties will, in the manner and to the extent, be independently processed by the third parties to whom they are disclosed according to their own privacy policies. In any case, where Artigiantubi ceases to process a user’s personal data, it will also give notice of the cessation to those to whom such data have been disclosed, but it cannot guarantee the cessation of processing by them.

4: WHERE HE TREATS THEM

Artigiantubi processes Users’ personal data at its premises.

5: WHAT DATA IS PROCESSED

Based on the significant quality of the data, one can identify:

– Contact information: email;

– Identifying Data: first name, last name.

– Content data: the content of the communication sent by the User through the appropriate form/form on the site (
https://artigiantubi.it/contatti/
).

6: FOR WHAT PURPOSES THEY ARE PROCESSED, AND INDICATION OF THE LEGAL BASIS AND RETENTION PERIOD.

Artigiantubi processes Customer data for the following purposes:

  1. Responding to User Inquiries;
    Legal basis: performance of the service;
    Duration: data are processed as long as they serve the purpose for which they are given.
    Therefore, if they are given for the sole purpose of formulating the quote, they will be kept until the quote itself is eventually rejected by the user. Where, on the other hand, the estimate is consolidated into a contract, they will be processed as part of Artigiantubi’s performance of the contract. In any case, in the case of communications with contractual or pre-contractual content, the commercial nature of the communications allows retention for the duration of 10 years.
    The following personal data of the User are processed for these purposes: e-mail, first and/or last name, content data (see point no. 5).

7: HOW THE DATA ARE CONFERRED

Data are provided directly by the User by filling out the appropriate form on the site.

8: WHICH DATA ARE MANDATORY AND WHICH ARE OPTIONAL (AND THE CONSEQUENCES OF REFUSING TO GIVE DATA)

The User’s contact and identification information is mandatory (can enter first or last name, not necessarily both). Failure to confer it will result in the inability to perform the service (response to the email forwarded through the form) requested.
In addition, it is optional but essentially physiological data that are formed in the drafting of the communication. As for the latter, it is not possible to discriminate between mandatory and optional, as they are formed as a natural consequence of the drafting of the communication.

9: HOW THEY ARE TREATED

Data are collected and processed by electronic means.

They are hosted on servers located in EU territory.

Only duly authorized persons with individual authentication credentials may access and process the data within the scope of the assignment received.

10: HOW LONG THEY ARE TREATED

However, for the relative length of time for individual purposes, see item no. 6.

11: WHAT È THE LEGAL BASIS FOR THE PROCESSING

Data are processed on the basis of the execution of the contract. See for a detailed exposition item no. 6.

12: HOW THE SERVICE WILL “DISRUPT” THE USER

Artigiantubi will “bother” the User in the following ways:

  • You may receive emails, (i.e., phone calls, messages or other communications where the body of the text indicates such contact information from the user) from Artigiantubi: these will be operational communications or otherwise in response to the communication/request sent by the User. These communications are essential for the regular management of the relationship with and response to the User.

13: WHAT ARE THE RIGHTS OF USERS

Users are beneficiaries of a number of rights.

Information rights about:

  • Categories of data are processed (see point #2 and #5);

  • Data origin, i.e., knowing where the service got its data from (see item #7);

  • Purposes of data processing, i.e., for what purposes the data are processed (see item #6);

  • Methods of data processing (see item #9);

  • Contact details of the data controller and any data processors (see item no. 3);

  • Subjects to whom data are disclosed (see point 3/a);

  • Storage time and data processing (see section 10 and 6);

  • Right to file a complaint before the Privacy Guarantor by accessing the following link:
    http://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-nostri-dati-personali

  • Existence or non-existence of profiling process;

  • Legal basis for processing (see point no. 11 and 6);

Then there are rights that are not merely informational but operational. They are of various kinds. In summary:

  • The data subject has the right to have a copy of the data he or she has provided. If the data have been processed by automated methods and on the basis of your consent or a contract, you may request-if technically possible-that the data be transmitted to the same data subject or even to a possible new data holder (portability), provided that this operation does not affect the rights (and data) of other persons. Therefore, this right in the present case cannot be exercised in relation to communications that contain third-party data, trade secrets or otherwise protected content. In such a case, he can also request the deletion of the data (unless the law requires the Holder to retain it, as in the case of commercial communications).

  • If personal data are inaccurate or incomplete, the data subject may ask for them to be corrected or completed by providing indications to that effect. If the Data Controller needs to verify the accuracy of the data challenged by the data subject, the data subject can in the meantime obtain the limitation of the challenged data (limitation means that the data is only retained and no other processing is done with it except with specific consent of the data subject or if it is needed to exercise or defend a right in court).

  • If personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the data subject may request their deletion. If, however, the data is needed by the data subject to exercise his or her right in court, he or she may request that the data be restricted (i.e., retained only).

  • If the processing is unlawful because the data is processed in the absence of consent, legitimate interest on the part of the Data Controller, contract for the performance of which the processing itself is necessary, legal obligation to process by the Data Controller, the data subject may request deletion or restriction.

For a more detailed general statement of rights :

Right of access: You have the right to obtain confirmation from the data controller that personal data concerning you are being (or are not being) processed, the purposes (i.e., the purposes) for which your personal data are being processed, what personal data are being processed (and, as mentioned, for what purposes), to whom the data are possibly communicated or transferred (and where), the storage and processing time of the data, whether a profiling process (i.e., data analysis with related evaluation of the behavior, tastes, location, etc. of the data subject) is taking place.

If the data were collected by someone other than the data controller, the right of access also includes the right to ask from whom the data controller itself received the data.

Finally, the data subject has the right to request a copy of his or her data: if not directly downloadable from his or her personal account, the copy will be provided in computer format, unless the data subject requests it in a different format (see Art. 15 GDPR).

Right of rectification: The data subject has the right to obtain rectification, i.e., correction, if his or her personal data are inaccurate (in case of doubt as to correctness, see also what is said about the right to limitation: in which case in fact the data will be retained, not processed for the purposes for which they are normally processed, until the owner has verified or not the accuracy of the data). In the event that the data are incomplete, and completion is necessary or appropriate for the purposes for which they are processed, the data subject may obtain supplementation of the data, if necessary by providing a supplementary statement himself for this purpose.

Right to erasure of data: the data subject has the right to obtain erasure of data in the following cases:

  • your data no longer serve the purposes for which it was collected or otherwise processed;

  • the data were processed on the basis of consent that the data subject has withdrawn (unless other legal reasons, such as performance of a contract, fulfillment of an obligation imposed by law on the data controller, remain as justification for the processing);

  • the data subject has objected to the processing (see opposition): if objected to in the case of direct marketing, the data – if used only for that purpose – must be deleted (and in any case can no longer be processed for direct marketing purposes), while in other cases (i.e., if the data are processed for other legitimate interests of the Data Controller stated in the disclosure or for the performance of a public interest task by the Data Controller) they are deleted only if no overriding reason exists (see opposition) that require its preservation. For the time it takes to determine whether there are “overriding reasons” may be limited;

  • the data have been processed unlawfully, thus without the right of the owner (as an alternative to deletion, the data subject may request restriction, as indicated below);

  • data must be deleted due to legal obligation;

  • the data concern minors under the age of 16, were collected in the context of offering information society (online) services, and no parental consent or authorization for processing was given.

Deletion is not performed, however, in the following cases:

  1. if the data are processed as part of a legitimate exercise of freedom of expression or information (in the opinion of the data controller, subject to the data subject’s right to appeal to the Guarantor or the Judge as indicated above);

  2. if the data processing is necessary to comply with a legal obligation to which the Data Controller is subject, or for the performance of a task carried out in the public interest by the Data Controller;

  3. Whether the data are processed for reasons of public order or public health;

  4. if the data are stored for public interest, scientific or historical research, as long as they are anonymized if possible, or at least pseudonymized (i.e., processed in such a way that the data subject cannot be identified except by information additional to that immediately available), and the minimum data necessary for these purposes is used.

  5. If the data processing is necessary for the exercise or defense of a right in judicial (criminal) proceedings;

Right to limitation: is the right to mark data and limit its use to storage only. In that case, therefore, the Holder does not delete them, but only retains them without doing any other form of processing. The owner retains them separately from others only if requested to do so by the data subject: indeed, it may be that the data subject has an interest in having the data, though only retained for the purpose of limitation, remain in the original location.

The right to limitation exists in the following cases:

  • if the data subject disputes the accuracy of the data, for the period necessary to verify the accuracy of the data (see what has been said about the right of rectification);

  • if the processing is unlawful and the data subject does not ask for its deletion, but asks precisely for its limitation only (so that he or she can probably then exercise his or her rights);

  • if the processing is no longer necessary for the purposes for which the data were collected or processed, but the data are necessary to the data subject himself or herself for the establishment, exercise or defense of a right in a court of law (in which case, therefore, although the data no longer need to be processed, they are retained because, precisely, they are necessary in a court of law for the data subject);

  • whether there has been opposition to processing (not in the case of opposition to the processing of data for direct marketing), and the owner must check whether there are overriding reasons why the processing is necessary (see right to erasure, item no. 3 and opposition).

The data subject is informed by the owner if the restriction is lifted. The information will give an account of the time of revocation, and the data processing that will take place after such revocation.

14: HOW HE CAN EXERCISE THEM

Procedure for exercising rights: User rights can be exercised by sending an email to amministarazione@artigiantubi.it.
The Owner must respond within thirty days (which may be extended by another two months, but the Owner in this case must give reasoned notice of the delay to the user).
The Owner may refuse, if it has reason to do so, to act on the user’s request (such refusal to be communicated to the user within one month) only in the case of manifestly unfounded or repetitive requests. He must give a reasoned response in that case. In any case, the user can appeal to the “Privacy Guarantor” (see link below) or to the Judge.

The Owner must respond using the same channel (email, telephone, etc.) used by the user for the request, unless the user requests a response by a different route. In the case of a request coming from an email address other than the one listed in the account, the requester must prove that he/she is the interested party.

The Holder, where it has doubts about the identity of the person making the request or exercising any of the rights that are listed below, may request additional information to confirm the identity of the applicant. In the case of a request coming from an email address other than the one listed in the account, the requester must prove that he/she is the interested party.

Requests and responses are free unless they are repetitive. In the latter case, the Holder may charge for the out-of-pocket costs it faces in responding (so personnel costs, material costs, etc.).

In any case, the person concerned may appeal to the Supervisory Authority (
http://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-nostri-dati-personali
) or to the competent Jurisdictional Authority to exercise their rights.

16 WHAT ARE THE DUTIES AND BURDENS OF USERS

The User is obliged to report truthful data.

It is the User’s responsibility to notify the Controller of any changes that have occurred to the personal data previously disclosed.

17: DATA BREACH HYPOTHESIS

In the event that one or more of the following events should occur with respect to Users’ data: unauthorized access, misappropriation, loss, destruction, disclosure, modification (so-called Data breach) Artigiantubi, without prejudice to the urgent technical measures to be put in place to block (as far as possible) the event and to reduce its damaging effects, undertakes to:

– restore the service efficiently as soon as possible by recovering available data from the last useful backup made;

– to inform Users, either directly if circumstances permit or generically (by means of a notice on the home page of the website or by means of a communication sent to all Users, including those for whom there may have been no data events) of the type of event, the time in which it occurred, the measures taken (without going into detail in order not to facilitate any new attacks) to reduce the damage and to avoid new similar events, as well as the measures and expedients that the User should – on his part – put in place to reduce the likelihood of new events and limit the consequences of those that have already occurred.